What is XKEYSCORE?

A (DNI) SIGDEV Tool

It gives you the ability to discover things that you otherwise wouldn't have seen
What makes XKS so good at SIGDEV?

XKS gives analysts unique access to terabytes of content and meta-data

• Typically sites select and forward to PINWALE less than 5% of the DNI they're processing

• The rest of that data used to be dropped but is now being retained temporarily and made available to analysts through X-KEYSCORE

• As an example, at one of our sites XKS sees more data per day than all of PINWALE
DNI Discovery Options

[Figure: DNI discovery options arranged on a scale from Low to High]
"Slowing down the Internet"

XKS's goal is to store the full-take content for 3-5 days, effectively "slowing down the Internet" so that analysts can go back and recover sessions that otherwise would have been dropped by the front end

Meta-data is saved off longer, with the goal of 30 days retention

A lot of analysis can be done through meta-data only (MARINA is meta-data only)
XKS Storage Times

Front end storage is limited by resources and policy restrictions and will vary by site

• At some sites, the amount of data we receive per day (20+ Terabytes) can only be stored for as little as 24 hours based on available resources

• Other sites have legal or policy restrictions that limit the amount of time we can store data (if we can at all)

• It's a rolling buffer where new data comes in and pushes the oldest data out
Can I "save off" XKS data?

Content that is "interesting" can be pulled out of X-KEYSCORE and pushed to Agility or PINWALE or any other database for longer retention

• Workflows can be set up to automatically harvest content out of XKS before it ages off

• The goal, however, is to use X-KEYSCORE to discover new things that will end up on tasking for future collection
How do I access XKS data?

It's important to know that XKS queries meta-data tables only

• Results from the meta-data tables are then linked back to the original piece of content

• Goal of the system is to extract a wide range of meta-data for users to query
What kind of meta-data is produced?

[Screenshot: the list of meta-data tables in the XKS search tree]

Classic A-M:
ASF and WMV Metadata, Alert, BlackBerry, CNE, Call Logs, Category DNI, Cellular DNI, Cisco Passwords, Document Metadata, Document Tagging, Email Addresses, Extracted Files, Full Log DNI, HTTP Activity, IRC Cafe Geolocation, Logins and Passwords

Classic N-Z:
Network Logs, PDF Metadata, PILBEAM, Phone Number Extractor, RBGAN, REGISTRY, RTP, Radius Logs, RealMedia Metadata, SIP, TOR Log, Tech Strings in Documents, User Activity, WLAN, Web Proxy, Wireshark
Examples of "simple" Plug-ins

Plug-in: E-mail Addresses
Description: Indexes every E-mail address seen in a session by both username and domain

Plug-in: Extracted Files
Description: Indexes every file seen in a session by both filename and extension

Plug-in: Full Log
Description: Indexes every DNI session collected. Data is indexed by the standard N-tuple (IP, Port, Casenotation etc.)

Plug-in: HTTP Parser
Description: Indexes the client-side HTTP traffic (examples to follow)

Plug-in: Phone Number
Description: Indexes every phone number seen in a session (e.g. address book entries or signature block)
Examples of "advanced" Plug-ins

Plug-in: User Activity
Description: Indexes the Webmail and Chat activity to include username, buddylist, machine specific cookies etc. (AppProc does the exploitation)

Plug-in: Document meta-data
Description: Extracts embedded properties of Microsoft Office and Adobe PDF files, such as Author, Organization, date created etc.
Plug-ins

A single session may contain entries in multiple meta-data tables

• For example, if a single session had a user E-mailing an attached Word document the following plug-ins would extract meta-data:

Plug-in: Full Log
Would have extracted: ...bare minimum meta-data like To/From IP address, ports, casenotation, sigad etc.

Plug-in: E-mail Addresses
Would have extracted: ...any E-mail addresses seen on that page (including inside the attached Word file)

Plug-in: Extracted Files
Would have extracted: ...the filename and extension of the attachment

Plug-in: Document Meta-data
Would have extracted: ...in addition to the filename and extension, any embedded properties of the Word document like Author, last author, organization, date created, date last modified etc.

TOP SECRET//COMINT//ORCON,REL TO USA, AUS, CAN, GBR and NZL//20291123

X-KEYSCORE DEPLOYMENTS

125 Sites

[Figure: X-KEYSCORE deployment sites]
AppIDs and Fingerprints

• X-KEYSCORE produces an application id for each session processed

• Currently almost 1300 AppIDs in 28 categories

• An AppID is meant to identify a session as a particular application

• Fingerprints are an extensible way of tagging sessions

• Ex: A session AppID'd as mail/smtp might also contain fingerprints for encryption if used in the email
AppIDs and Fingerprints

Ex: E-Mails with encryption

Application: mail/webmail/outblaze
AppID (+Fingerprints): mail/webmail/outblaze has_fingerprint encryption/pgp encryption/pgp/message

[Screenshot of the webmail session:]

From: "Launchpad OpenPGP Key Confirmation" <noreply@launchpad.net>
To:
Cc:
Subject: Launchpad: Confirm your OpenPGP Key
Date: Wed, 31 Dec 2006 10:04:16 -0600

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.[illegible] (GNU/Linux)

-----END PGP MESSAGE-----
AppIDs and Fingerprints

Ex: Airline E-Tickets

Application: mail/webmail/yahoo
AppID (+Fingerprints): mail/webmail/yahoo has_fingerprint travel/airblue

[Screenshot of the webmail session:]

Subject: Airblue E-Ticket - JGDTGSWB
From: Airblue Reservations <website@airblue.com>
Date: Nov 18, 2008 10:41 AM

[E-ticket body: Reservation No., flight Peshawar to Dubai 29 NOV 08 12:00, fare 15,505.00 OK; payment record: Date/Time 18-Nov-2008 3:41 PM, Method Travel Agency, Location (agency name), Description Ticket Sale, Amount Rs 15,505.00]
AppIDs and Fingerprints

Ex: Extremist Forum Private Messages

[Screenshot of the session: HTTP Header Information, Content Type: HTTP/POST/Form-Data]

POST /private.php?do=insertpm&pmid= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer:
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FDM)

Application / AppID (+Fingerprints): [illegible in the source scan]

Form fields: recipients, bcc recipients, title, message [Arabic text, illegible in the source scan]
X-KEYSCORE Workflows

• X-KEYSCORE workflows are standing queries that run on set intervals during the day (usually once a day)

• After action reports can E-mail the results of the workflow, parse out data to mailorder to other databases and more

• The new GUI's Workflow Central makes it easy to create and manage your workflows
XKS Workflows: Easy to Create!

This system is audited for USSID 18 and Human Rights Act compliance
[Screenshot: the new XKEYSCORE home page (Beta). Navigation bar: Home, Admin, Users, Workflow Central, Search Results, Statistics, Preferences, Help. Navigation tree: Admin; Users; Workflow Central (All Workflows, My Workflows); Search (Classic, MultiSearch, IP Addresses, Mac Address, Username; Classic A-M: ASF and WMV Metadata, Alert, BlackBerry, CNE, Call Logs, ...)]

Welcome to the Beta release of the New XKEYSCORE Home Page!

If you have questions or bug reports please go to XKEYSCORE New GUI Forum

News

(U//FOUO) New XKEYSCORE GUI

(U//FOUO) XKEYSCORE is working on a new GUI that has now reached an open Beta state. Follow the link below to try it out. Your account and preferences will automatically be transferred when you log in. Please view these training videos to acclimate yourself with the new layout and features. Some features have not yet been completed but will still be available in the original GUI. Try the new XKEYSCORE GUI (Beta)!

(U//FOUO) If you find bugs please report them ONLY in the XKEYSCORE Forums under the New GUI section, which can be found here. We will try to fix any bugs as quickly as possible, but when experiencing a problem revert back to the original GUI until we can fix it.
XKS Workflows: Easy to Create!

[Screenshot: Workflow Central navigation (Request, All Workflows, My Workflows) and the wizard start page: "Welcome to the X-KEYSCORE Workflow Request Wizard."]

[Screenshot: My Workflows list; names and timestamps as legible in the scan]

Query Type | Query Name | Last Modified | State
(blank) | dailywlsnfulllogdni2 | 2008-12-05 15:20:10 | on (xks)
http_parser | Waz_NWFP_Foriegn_Googlers | 2008-12-01 | on (xks)
http_parser | Zahedan_Googlers | 2008-11-05 21:35:57 | on (xks)
http_parser | Google_Earth_Queries | 2008-12-01 15:39:37 | on (xks)
tech | Kuala_Lumpur_Tech_Tasking | 2008-11-24 15:01:00 | on (xks)
(blank) | megaproxy | 2008-11-24 15:01:09 | on (xks)
http_parser | Waziristan_NWFP_Internet_searches | 2008-11-24 15:01:09 | on (xks)
http_parser | Waz_NWFP_Googlers_com_pk | 2008-12-01 15:38:48 | on (xks)
http_parser | Waz_NWFP_Googlers | 2008-12-01 15:38:35 | on (xks)
full_log | zahedan_megaproxy | 2008-11-05 21:13:08 | on (xks)
user_activity | Foreign_Peer_to_Peer_Chats | 2008-11-21 20:40:41 | on (xks)
http_parser | Guardster_from_Waz | 2008-11-21 20:02:40 | on (xks)
login | _T_Bone_orange_co_uk_password_ | 2008-12-01 18:10:55 | on (xks)
tech | Daily_Arabic_from_Waz | 2008-12-02 16:56:28 | on (xks)
http_parser | Daily_FileSharing_Uploads_from_Waz | 2008-12-02 16:55:53 | on (xks)
(blank) | daily_wlan_from_[illegible] | 2008-12-16 15:10:50 | on (xks)
(blank) | daily_wlan_network_log | 2008-12-16 15:08:22 | on (xks)
Context-Aware Tagging

• Provides for the ability to task and scan for terms only when they appear inside the body of documents like Microsoft Office or Adobe PDFs

• EX: We want to find technical documents regarding WIMAX networks but tasking the term "WIMAX" to Cadence would flood PINWALE with hits. What if we only look for the term within documents?
[Screenshot: Tech Strings in Documents results]

ID | DATETIME | DATETIME END | TECH NAME | TECH VALUE | TECH FILENAME
1 | 2008-01-01 04:55:00 | 2008-01-01 04:55:01 | wireless | WIMAX | NIB Ranchor Line KHI.doc
2 | 2008-01-01 04:55:00 | 2008-01-01 04:55:01 | satellite | DVB | NIB Ranchor Line KHI.doc
(illegible) | 2008-01-01 04:55:00 | 2008-01-01 04:55:01 | mac | [illegible] | NIB Ranchor Line KHI.doc

[Screenshot of the matched document: a site form listing BUC Make, BUC Frequency, LNB Type (Ku), LNB Frequency, DVB-RCS Modem type (DVB STM ...), DVB-RCS Modem Serial]
Context-Aware Tagging

[Screenshot of a matched e-mail session: Subject NFF-66024-GCC-KHI; Date Tue Dec 30 10:57:40 GMT 2008; Event Type: email; views: HTML, Plain Text, Attachment]

IMEI: [redacted]
Model: 6300
ASC: GCC-KHI
Symptom: 4100
Comments: no fault found phone is working properly kindly confirm the fault in detail when and in which condition it creates problem related to mention symptom
Context-Aware Scanning

• Tasking is so flexible that it can include regular expressions (REGEXs) with few or no anchor points

• Ex: Can we find documents that have MAC addresses in them?

• The following Regex looks for MAC addresses:

• "(00|01|02|04|08|10|3C|44):(?=[\d:]{0,12}[a-f])([\da-f]{2}):([\da-f]{2}):([\da-f]{2}):([\da-f]{2}):([\da-f]{2})"
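As an added example (not from the slide deck), the MAC-address pattern above as reconstructed from the scan, run over a few constructed strings to show what the lookahead does and does not accept; the reconstruction of the garbled pattern and the `explain_miss` helper are assumptions of this example.

```python
import re

# Reconstruction (assumption) of the slide's pattern.  The leading group restricts
# the first octet; the lookahead (?=[\d:]{0,12}[a-f]) demands at least one lowercase
# hex letter within the 13 characters that follow the first colon.  There are no
# anchors, so the pattern also fires inside a longer token.
MAC_PATTERN = (
    r"(00|01|02|04|08|10|3C|44):(?=[\d:]{0,12}[a-f])"
    r"([\da-f]{2}):([\da-f]{2}):([\da-f]{2}):([\da-f]{2}):([\da-f]{2})"
)
MAC_RE = re.compile(MAC_PATTERN)
ALLOWED_FIRST_OCTETS = ("00", "01", "02", "04", "08", "10", "3C", "44")


def find_mac_addresses(text):
    """Return every substring of text that the slide's pattern accepts, in order."""
    return [m.group(0) for m in MAC_RE.finditer(text)]


def explain_miss(candidate):
    """Say why a colon-separated MAC candidate is not matched (None if it is).

    Walks the restrictions the pattern imposes in the order the regex engine
    would hit them.  Constructed helper, not part of the slide.
    """
    if MAC_RE.search(candidate):
        return None
    octets = candidate.split(":")
    if len(octets) != 6 or not all(len(o) == 2 for o in octets):
        return "not six two-character octets"
    if octets[0] not in ALLOWED_FIRST_OCTETS:
        return "first octet not in the allowed list"
    if candidate != candidate.lower():
        return "uppercase hex digits (pattern is case-sensitive)"
    tail = candidate[3:]  # everything after the first octet and its colon
    letter_positions = [i for i, ch in enumerate(tail) if ch in "abcdef"]
    if not letter_positions:
        return "no hex letter a-f at all"
    if min(letter_positions) > 12:
        return "only hex letter is beyond the lookahead's 12-character reach"
    return "rejected for another reason"
```

Note the last case: an address whose only letter sits in the final position, such as 00:11:22:33:44:5a, is rejected even though it is a valid MAC, and an all-digit address never matches at all.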
Context-Aware Scanning

• Supports full foreign language tagging and querying

• Ex: look for common Arabic expressions in E-mails coming from the Pakistan tribal regions:

[Screenshot of a matched webmail (Beta) session: From [redacted] (gmail.com), "Medium risk: You may not know this sender", Sent: Thu 1/01/09 12:07 PM; body in Arabic, illegible in the scan]
X-KEYSCORE SIGDEV

• X-KEYSCORE's full take database of meta-data and content make it a powerful SIGDEV tool

• Many DNI applications don't contain strong selectors that allow traffic to be collected

  • Web surfing

  • Internet searching

  • Anonymous file uploading/downloading

• The variety of applications processed and meta-data available make X-KEYSCORE an ideal starting point for DNI development
X-KEYSCORE SIGDEV

• Scenario 1: Persona Analysis

  • Goal to identify the "user session"

  • Help answer the question: What did target do while he was online?

• We may know from TRAFFICTHIEF, PINWALE or [redacted] that our target was online at a given time and from a given IP address, so we can then search in X-KEYSCORE for everything that happened "around" that event.
XKS SIGDEV: Persona Analysis

[Screenshot: User Activity query results for a yahoo webmail session from PK on 2008-12-29 around 05:14Z; columns Datetime, Username, Search For (username), Search Value, Datetime End, To IP; values redacted or illegible in the scan]
XKS SIGDEV: Persona Analysis

Coming soon: XKS PSC (query builder/viewer)

[Screenshot: the Persona Session Collection form, reached from a result row's Row Actions menu. Fields: Justification, Additional Justification, Start Date & Time (12/29/2008 05:09), Stop Date & Time (12/29/2008 05:19), format (M/D/Y H:M), IP (Country Code), Also Query IP As: From / To / X-Forwarded-For IP, XFF or Client IP, Add Search: Extracted File. Justification text: "Persona session collection for [redacted]"]
XKS SIGDEV: Persona Analysis

[Screenshot: XKEYSCORE Persona Session Collection results. Panels: User 1 / User 2 / User 3 session list; HTTP Activity Timeline (hours 1 to 8, sites visited including mail.ru, rambler.ru, facebook.com, city24.ru, novoteka.ru, macromedia.com, a .com.pk and a .com.tr domain); Browsers Used (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 ...), contype); Username Summary (mail/webmail/gmail 1 item, mail/webmail/mailru 2 items); Referrer Summary (ad.yieldmanager.com 3 items, chat.yahoo.com 3 items); Extracted Files (Unknown File Extension 1 item); Geographic IP Summary (From: KOHAT PK 205; To: GENEVA CH 2, MOSCOW RU about 100, and others)]
XKS SIGDEV: Persona Analysis

Coming soon: XKS PSC (query builder/viewer)

[Screenshot: further PSC summary panels. Username Summary: mail/webmail/gmail (1 item), mail/webmail/mailru (2 items), mail/webmail/mailru/post (1 item), mail/webmail/rambler (2 items), mail/webmail/rambler/post (1 item), mail/webmail/yahoo (5 items). Web Searches: terms and search engines, (None) 1 item. Traffic Summary by AppID or Fingerprint: advertisement, http, mail, news, social, unknown. Domain Summary: subdomains including edriver.ru, akamai.net, bn5.ru, city24.ru, com.pk, com.tr, facebook.com, fbcdn.net, gismeteo.ru, google.com, haberler.com, imgsmail.ru, macromedia.com, mail.ru]
NWFP Example

[Figure: workflow diagram from the analyst's queries to a result]

New strong selector discovered: badguy@yahoo.com
XKS SIGDEV: HTTP Traffic

Example: queries to [illegible] Pakistan information

[Screenshot: HTTP Activity query form and results. Query: Host www.y... (cut off), Datetime 2008-12-29 07:21:42 (+/- hours), From Country (IP): PK, To Port. Row Actions menu on a result: View Session, View Session (New Window), Show All Row Values, Mark Metadata row as Important, Un-Check where Fm IP Equals '116...', NKB Lookup, Query Marina]
XKS SIGDEV: HTTP Traffic

[Screenshot: User Activity results for the same client address (IP starting 116..., rest redacted) on 20081119 between 0731Z and 0745Z. Columns: Datetime, USERID, PHONE, USER A, ACTIVITY, USER B, START TIME, STOP TIME, DURATION, CALL DONE, IP ADDRESS, PHONE MAC ADD. Rows show "<emailAddr> logged in (email)" events; one session runs 20081119 073141Z to 092841Z, duration 0d 01:57:00]
XKS SIGDEV: HTTP Traffic

Now make that into a workflow

[Screenshot: X-KEYSCORE EMAILER after-action report]

QUERY NAME: Waz_NWFP_Foriegn_Googlers
current time: 2008-11-20 07:15:15 GMT
submitted at: 2008-11-20 03:55:03 GMT
has 14 result(s)

SEARCHES
www.google.com
[14 search rows dated 2008-11-19 listing the search terms with their "(cybertrans from Arabic)" machine translations, e.g. "The al-Ikhlas network", "Waziristan", "Scandals", "News", and hit counts in parentheses]

Workflow Values
X-KEYSCORE SIGDEV

• EX: Targets pass links to videos, use XKS to discover new targets who have viewed those videos

[Excerpt from a report:] In HB 00215-09, he promises that the newest video will be ready very soon, and then sends these two links:

http://www.load.to/ [rest of link cut off]
http://www.files.to/get/ [rest of link cut off]

[Screenshot: HTTP Activity query form. Datetime: 2 Weeks, Start: 2008-12-23 00:00, Stop: 2009-01-05 23:59; HTTP Type; Host: www.files.to; URL Path: /get/]
X-KEYSCORE SIGDEV

[Screenshot: User Activity results for the query above; rows on 20081231 between 224606Z and 225021Z showing "<emailAddr> logged in (email)" events from a client address starting 59... (rest redacted). Columns: Datetime, USERID, PHONE, USER A, ACTIVITY, USER B]
X-KEYSCORE SIGDEV

How to find technical documents of interest

One idea: Take advantage of the properties extracted as meta-data by X-KEYSCORE like the Author and Organization

Let's look for all documents where the organization field is the company we're interested in, ex: Warid Telecom
[Screenshot: Document Metadata query results]

Filename | Extension | Author | Last Author | Organization
PAR_MPBII_GUJ_To troubleshoot MPBII end for BSC23.doc | doc | (not shown) | (not shown) | Warid Telecom (Pvt.) Ltd.
wpfor libs troubleshooting 30-12-08.doc | doc | (not shown) | (not shown) | Warid Telecom (Pvt.) Ltd.
Fiesta S[illegible].xls | xls | (not shown) | (not shown) | Warid Telecom (Pvt.) Ltd.
LOI Warid for 3443 and 3444 Shortcodes.doc | doc | (not shown) | (not shown) | Warid Telecom (Pvt.) Ltd.
[further rows, including duplicates of the above, omitted]

Many of these files have not been selected, because either there was no strong selector associated or the strong selector(s) weren't tasked for [illegible]
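An added example, not from the deck: the Document meta-data plug-in described earlier and the Organization-field search above both rest on properties embedded in Office files. This Python reads the same Author, last author, Organization and date fields out of a .docx package and writes a copy with them blanked, which is the check a document owner would run before a file leaves the organization. The sample package, its field values and the helper names are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# OOXML namespaces of the two property parts, docProps/core.xml and docProps/app.xml.
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def core_xml(author="", last_author="", created="", modified=""):
    """docProps/core.xml: Author, last author and the created/modified stamps."""
    dates = ""
    if created:
        dates += f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    if modified:
        dates += f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" '
        f'xmlns:dcterms="{DCTERMS}" xmlns:xsi="{XSI}">'
        f"<dc:creator>{escape(author)}</dc:creator>"
        f"<cp:lastModifiedBy>{escape(last_author)}</cp:lastModifiedBy>"
        f"{dates}</cp:coreProperties>"
    )


def app_xml(company=""):
    """docProps/app.xml: the Organization field (Word calls it Company)."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{EP}"><Application>Microsoft Office Word</Application>'
        f"<Company>{escape(company)}</Company></Properties>"
    )


def build_docx(author, last_author, company, created, modified, body=b"<w:document/>"):
    """Constructed sample: a minimal package with both property parts and a body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core_xml(author, last_author, created, modified))
        z.writestr("docProps/app.xml", app_xml(company))
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def extract_properties(docx_bytes):
    """Return the fields the plug-in indexes; a missing part or element yields ''."""
    props = {"author": "", "last_author": "", "company": "", "created": "", "modified": ""}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            props["author"] = core.findtext(f"{{{DC}}}creator", default="")
            props["last_author"] = core.findtext(f"{{{CP}}}lastModifiedBy", default="")
            props["created"] = core.findtext(f"{{{DCTERMS}}}created", default="")
            props["modified"] = core.findtext(f"{{{DCTERMS}}}modified", default="")
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            props["company"] = app.findtext(f"{{{EP}}}Company", default="")
    return props


def scrub_docx(docx_bytes):
    """Copy the package with both property parts replaced by blank ones.

    Every other part, the document body included, is copied byte for byte, so the
    text survives while Author, last author, Organization and the dates are gone.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name == "docProps/core.xml":
                dst.writestr(name, core_xml())
            elif name == "docProps/app.xml":
                dst.writestr(name, app_xml())
            else:
                dst.writestr(name, src.read(name))
    return out.getvalue()


def read_part(docx_bytes, name):
    """Return one part of the package as bytes (to check the body survived)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


if __name__ == "__main__":
    sample = build_docx("j.doe", "admin", "Example Telecom (Pvt.) Ltd.",
                        "2008-12-30T10:57:40Z", "2008-12-31T08:00:00Z")
    print("before:", extract_properties(sample))
    print("after: ", extract_properties(scrub_docx(sample)))
```

Real Word files carry more parts than this sample (content types, relationships, custom.xml), and custom.xml can hold further identifying fields; the same two-part replacement applies, with custom.xml added to the list.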
Questions?

xkeyscore@nsa
Activity

[Screenshot: an HTTP Activity row with the raw request and the parsed fields]

GET [redacted]/search?tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu&link=next HTTP/1.1
Accept: [illegible]
Referer: search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: search.bbc.co.uk
Cookie: BBC-UID=[value omitted]
Cache-Control: max-stale=0
X-BlueCoat-Via: [value omitted]

Parsed fields:
Host: search.bbc.co.uk
URL Path: /search
URL Args: tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu&link=next
Search Terms: musharraf
Language: en
Via: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) [X-BlueCoat-Via value omitted]
Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu
Query Hierarchy

[Figure: query hierarchy diagram, queries fanning out to a FORNSAT site]